By Ketevan Kukava-ISOC Georgia*
This article provides a brief overview of the “Data Protection Impact Assessment, European Standards and Recommendations for Georgia” report, funded by the Internet Society Foundation. The views and suggestions presented in this article belong to the author and may not represent the perspectives of the Internet Society Foundation.
As a result of rapid technological development, the scale of the collection and sharing of personal data has significantly increased, which has posed new risks and threats to human rights. Despite bringing significant benefits, the digital era creates certain challenges in terms of privacy and data protection as a large amount of personal information is collected, which is processed in more and more complex ways.
Increasing challenges necessitated further development of European data protection law as legislation had to adequately respond to the threats existing in the digital age and had to create stronger safeguards for the protection of human rights. Adoption of the General Data Protection Regulation (GDPR) and modernization of the CoE Convention 108 ensured higher standards for protecting data subjects’ rights, further accountability of data controllers, and efficient supervision over data protection.
European data protection law aims to create a uniform and consistent legal framework and to ensure the free and unhindered movement of personal data. Considering an unprecedented scale of data processing both in the public and private sectors, providing appropriate safeguards for the protection of data subjects’ rights and interests gains crucial importance.
A data protection impact assessment (DPIA) is one of the important measures foreseen by European law, which enables data controllers to prevent human rights violations by identifying the risks in advance. Such assessment is mandatory when there is a high risk to the rights and freedoms of natural persons.
A DPIA is an important tool directed towards the accountability of the data controllers and the protection of the data subjects’ rights. It can be considered as a form of monitored self-regulation.[1] It obliges companies to identify problems and find solutions, with internal oversight and some external input, accompanied by minimal regulatory supervision.[2]
According to the GDPR, a data protection impact assessment is particularly important in the following circumstances:
a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the individual or similarly significantly affect him or her;
b) processing on a large scale of special categories of data or personal data relating to criminal convictions and offences;
c) a systematic monitoring of a publicly accessible area on a large scale.[3]
The above-mentioned list is not exhaustive. There may be other processing operations that are likely to result in a high risk to the rights and freedoms of individuals, which should also be subject to the DPIA.
The GDPR lays down the main requirements and criteria with regard to the DPIA. It includes only a brief description of this process and does not specify the methodology. Therefore, data controllers are given certain leeway and are allowed to determine the form and structure of the DPIA. What matters most is that the outcome of this process should be a real identification of risks.
Article 29 Data Protection Working Party[4] (WP29) recommends sector-specific DPIA frameworks because such assessment will consider the specifics of a particular type of processing operation. In this case, the DPIA can address the issues that arise in a specific sector, or when using particular technologies or carrying out particular types of processing operations.[5]
The General Data Protection Regulation is silent on the transparency of a DPIA and does not require its publication. Data controllers can decide on this issue themselves. According to the guidelines of the WP29, controllers should consider publishing at least parts of their DPIA, such as a summary or conclusion. This will foster trust in the processing operations as well as promote accountability and transparency.[6]
As for Georgia, the association agreement with the European Union[7] and its agenda[8] envisage ensuring a high level of protection of personal data in Georgia. However, Georgian legislation currently in force is not fully compliant with the requirements of the European data protection law and does not foresee important novelties introduced by the Council of Europe and the EU legal instruments.
In 2019 the State Inspector Service drafted a legislative amendment package[9] aimed at harmonizing Georgian legislation with European standards; however, it has not been adopted yet. Furthermore, as of today, Georgia has not signed the CETS No. 223 protocol amending Convention 108 (Convention 108+)[10] either.
The Draft Law of Georgia on Personal Data Protection, initiated in the Parliament in 2019, regulates, among other issues, data protection impact assessment, the designation of data protection officers, and profiling, which should be positively assessed. At the same time, however, the draft law needs improvement in some respects.
The draft law should lay down the obligation of the Personal Data Protection Service to develop and publish the list of the kinds of processing operations that are subject to the requirement for a data protection impact assessment. When fulfilling this duty, the PDP Service should take into account the criteria determined by the Article 29 Working Party. The creation of such a list will ensure legal certainty and foreseeability. Moreover, it is advisable for the supervisory authority to also determine those processing operations which are not subject to the requirement for a DPIA.
In conclusion, the Georgian legislation should respond to the challenges existing in the digital age and should provide appropriate safeguards for the protection of data subjects’ rights, freedoms and interests. Harmonization with European standards and implementation of the novelties foreseen by the European data protection law will be an important step forward in terms of European integration and, at the same time, will facilitate strengthening human rights protection in Georgia.
See the full report.
*Ketevan Kukava is a co-founder and director of a Georgian nonprofit organization “Law and Public Policy Center” and a head of the personal data protection special interest group at Internet Society – Georgia Chapter.
[1] Kaminski, M. E., Malgieri, G., Algorithmic impact assessments under the GDPR: producing multi-layered explanations, International Data Privacy Law, 2021, Vol. 11, No. 2, p. 131.
[2] Ibid.
[3] General Data Protection Regulation, Article 35 (3).
[4] The Article 29 Data Protection Working Party is an advisory body established by the Data Protection Directive. From 25 May 2018 it was replaced by the European Data Protection Board, a body established by the General Data Protection Regulation. During its first plenary meeting the European Data Protection Board endorsed the GDPR-related WP29 Guidelines. Available at: https://bit.ly/3jeF0YL (accessed 05.12.2022).
[5] Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, 2017, p. 17.
[6] Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, 2017, p. 18.
[7] Association Agreement between the European Union and the European Atomic Energy Community and their Member States, of the one part, and Georgia, of the other part, Article 14. Available at: https://bit.ly/2Xe5UUF (accessed 01.12.2022).
[8] The EU-Georgia Association Agenda. Available at: https://bit.ly/3JIRVNy (accessed 01.12.2022).
[9] Draft Law of Georgia on Personal Data Protection and accompanying legislative amendments. Available at: https://bit.ly/3FhrVVF (accessed 01.12.2022).
[10] Status of signatures and ratifications. Available at: https://bit.ly/3Rh1THX (accessed 31.01.2023).